Data protection law contains rules about transferring personal information to receivers located outside the UK. We refer to these as restricted transfers.
You must ensure that one of the following apply:
- the transfer is covered by ‘adequacy regulations’. This means that the country you plan to send the information to has ‘adequate’ protection for people’s personal information;
- there are appropriate safeguards in place. This means that if there are no UK adequacy regulations in place for that country, you must do an assessment to check that relevant UK GDPR protections are not undermined for people whose information is transferred; or
- the transfer is covered by an exception.
Further reading